Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad guy, it shows your morality and that you couldn't care less....

That's not necessarily true. Are you "per definition" a bad guy if you sell the bug to a legitimate law enforcement contractor? Like that Israeli company that helped the FBI crack open that iPhone 5C?

Personally, I wouldn't do that, but I also wouldn't automatically label all people that assist law enforcement as bad people.
 
Why are they being cheap when the security of their software is at stake? They are one of the richest companies in the world. I know Tim wants the profit margins to be as high as possible but maybe cut a few % off them and use the money to pay for bugs, raise salaries of Apple store workers, pay people more for helping with the maps app (there was an article on macrumors recently on this), etc.
 
If you have personal data of a rich person (including credit card data) you will get more selling that data to the bad guys than selling it to someone working legally (insurance company, yacht dealer etc). Does this mean you should always take the bigger money and not care who pays?

Depends on your moral compass.

I'd imagine the professional hackers just want the gap narrowed somewhat. No-one could reasonably expect to be paid the same as they would be by organised crime.
 
Sounds to me like they are asking for ransom.
Apple needs to adjust to market rates or above market rates (Apple can certainly afford it) to entice these folks in and lock their OSes and services down even further. Currently the 3 letter agencies and firms supporting despotic regimes (can cover a lot, can't it) don't want Apple raising those bounties...

Kick'm in the balls Apple, raise the rates and lock your vulnerabilities down further.

I think that the others would then raise their payments to beat Apple.
 
That's not necessarily true. Are you "per definition" a bad guy if you sell the bug to a legitimate law enforcement contractor? Like that Israeli company that helped the FBI crack open that iPhone 5C? . . .

I'd still say yes.

Sell it back to Apple and if Apple subsequently decides to create a "back door" that's up to them and customers can choose to respond accordingly with their purchase decisions from that point forward.
 
Actually this is good, keep it up Apple, don't raise compensations.

I want to be able to jailbreak, ok? I don't like Apple's walled garden.
 
I'm assuming you're a software developer. If you create software and have beta testers test run it, you won't find all the bugs that will haunt your software. I would assume you would need a higher level of experts to find these bugs, hence the bounty program. I hear what you're saying about doing it internally. I question that very same sentiment all the time, as in why do they need testers when they can easily do it themselves. Good point!

I merely empty bins for a living. What I'll say about big company security teams is that they report into a chain of command who have conflicting interests. Internal security teams generally suffer from group think and it's only the talented ones who can make a break for it as an independent. In other words they earn $110k as that's all they're worth.
 
Sounds to me like they are asking for ransom.

I'd say that finding a way to access data in the Secure Enclave is worth a king's ransom to Apple's reputation.

Those talking about it as if it were only someone's salary totally miss what is being priced.

I think that the others would then raise their payments to beat Apple.

Up to a point. Others will only pay what the information is WORTH. Apple should be willing to do at least the same.
 
Why are they being cheap when the security of their software is at stake? They are one of the richest companies in the world. I know Tim wants the profit margins to be as high as possible but maybe cut a few % off them and use the money to pay for bugs, raise salaries of Apple store workers, pay people more for helping with the maps app (there was an article on macrumors recently on this), etc.


It doesn't work that way. If Apple raised the bounty, they would just get in a bidding war with each new bug that is found, as security researchers, criminals, intel agencies, etc., would just announce that they would pay more. Apple set a reasonable bounty for someone who wants to work with them; there is no practical or sensible way to try and outbid others every time someone finds a bug.
 
They should up it ten times, yes - and then the tax-payer should compensate them.
Because the government has created this very market and could shut it down any time, if they wanted to.

I mean, we don't have an open market for state secrets, either, right?
It's the NSA's fault, or the CIA's, or the DHS' or whoever if they leak a secret, right?
They should just work harder to protect their secrets!

But the lure of 0days is too good to stop.

Also, are there auction sites for this?
Or how does one determine what the "right" price for a vulnerability is?
How do you (as Apple Inc.) know somebody else is really paying a million for it, as the person trying to sell it is claiming?

Apple clearly does not want to increase the price of vulnerabilities, because it would draw even more people into looking for them (for a profit).
 
It isn't about being a bad guy, it's about being compensated for your work. How much is your time worth? Would you sell it short just because it is the 'proper' channel? Most wouldn't.

Most naturally are comfortable going after the largest bidder, even if their work does nothing but provide tools for someone to exploit in order to harm end users for no reason. Thankfully I don’t identify with people who can put a price on their integrity. 250k for a dangerous critical flaw is plenty of money and IMHO only a complete jerk would demand more.
 
What?

There is this thing called Testing / QA. Apple develop their software, bugs are entirely their issue / fault! (Third party libraries can still be tested for bugs / vulnerabilities and kept up to date.)


Now, you can never guarantee 0% bugs of course, but show stoppers, critical bugs should be removed as much as possible. If security is a priority, then Apple should have their own dedicated security team or outsource the job and put as much effort in finding security issues as necessary.


So, it's not necessarily Apple's fault that their software has bugs; they are not aware of them because security software companies want more money? How can Apple fix something they don't know they have? In a sense, they are being held hostage by their own product. Kinda counter productive but understandable from a researcher's standpoint. I would want to be compensated fairly too for my work.

I don't know exactly what the going rate for bugs is and how they determine these market prices, but if Apple were to pay more, it opens up the floodgates for exorbitant price tags for bugs being discovered. If they do, guess what? Those prices will be reflected on already expensive Apple products at the consumer level. We are already paying premium prices for Apple products. This will only drive the prices even higher if they give in.

So what is fair exactly?
 
So, these Modern Security Research businesses are spending millions on highly trained researchers, such as yourself or the ones you described, so that they can find a bug and then decide: Do I sell this to Apple for $200k, or to the bad guys for $millions? Is that the purpose of these Modern Security Research Businesses? Honestly, it sounds more like Tech Crooks.

I've been reading some of the comments here, and as a new security researcher I find that some of your comments are victims of misconceptions that might be easily cleared up with some insight. For example:

For one, you might've been right if we were talking about security research from 20 years ago, when it wasn't taken so seriously. However, modern security research is a business in and of itself. It takes a lot of knowledge and training, but more importantly it takes resources. Most external security researchers will not have access to the source code of these applications or OS features that they are probing for vulnerabilities.

Most groups that actively search for vulnerabilities apply techniques like 'fuzzing', where they dedicate hardware to constantly throw input at an application or API until it breaks, and then the researcher figures out if that break is exploitable. These breaks appear in the forms of application crashes and kernel panics. Most kernel level vulnerabilities would sweep the top of the bounty range, since that would allow for access to a system beyond that of an administrator or super user. Getting back to the point, Apple hardware does not exactly come cheap, and to compete with a lot of the top end researchers like Google's Project Zero, you're going to need a significant investment to even get started.

When any company considers how much to pay out, the company must analyze how frequently bugs are going to be discovered that are significant enough to be rewarded, how much malicious actors would pay for a vulnerability in this particular application or device, and what damage a complete outbreak of an exploit targeting your product would cause to the company's image. If vulnerabilities are going to be frequent, it's best to not offer a bounty and to have a team work in-house to discover them, because you will be flooded by submissions from amateur researchers grabbing low-hanging fruit. If vulnerabilities are going to be rare and deal high damage to the company's image, as is the case with Apple, which champions its security, then the payout needs to be significant enough to compensate researchers for their investment of both time and resources.

I hope this clears things up for readers.
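As an added illustration of the fuzzing loop the post above describes (this is example code written for this page, not code from the poster or from any real fuzzer), here is a minimal mutation fuzzer in Python run against a constructed toy record parser: it mutates a valid seed, treats any unexpected exception as the "break", buckets breaks by exception type and location so the triage step sees each unique crash once, and re-runs each saved input to confirm it reproduces. The names `parse_record`, `mutate`, `fuzz` and `reproduces` are hypothetical.

```python
import random

# Constructed toy parser standing in for the "application or API" under test.
# Format: [len][payload bytes][checksum]. The planted bug: it trusts the declared
# length and indexes past the end of the buffer when the length field lies.
def parse_record(data: bytes) -> dict:
    if len(data) < 2:
        raise ValueError("short input")       # graceful rejection, not a crash
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]               # IndexError here is the "break"
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"length": length, "payload": payload}

# A valid seed record: length 3, payload "abc", checksum (97+98+99) % 256 = 38.
SEED = bytes([3]) + b"abc" + bytes([38])

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, insert a byte, or truncate."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, expected=(ValueError,), rng_seed=0) -> dict:
    """Throw mutated inputs at target. Exceptions in `expected` are handled input
    validation; anything else is a crash, bucketed by (type, line) with the first
    reproducing input kept so each unique break is triaged once."""
    rng = random.Random(rng_seed)             # fixed seed keeps runs repeatable
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:
            tb = exc.__traceback__
            while tb.tb_next:                 # walk to the frame that raised
                tb = tb.tb_next
            crashes.setdefault((type(exc).__name__, tb.tb_lineno), sample)
    return crashes

def reproduces(target, crashes: dict) -> bool:
    """Triage step one: every saved input must re-trigger the same exception type."""
    for (name, _), sample in crashes.items():
        try:
            target(sample)
        except Exception as exc:
            if type(exc).__name__ != name:
                return False
        else:
            return False
    return True
```

Running `fuzz(parse_record, SEED, 500)` finds the out-of-bounds read as an `IndexError` bucket within a few hundred iterations; in a real campaign the target is a native binary and the "exception" is a crash or kernel panic captured by the harness.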
 
Most naturally are comfortable going after the largest bidder, even if their work does nothing but provide tools for someone to exploit in order to harm end users for no reason. Thankfully I don’t identify with people who can put a price on their integrity. 250k for a dangerous critical flaw is plenty of money and IMHO only a complete jerk would demand more.
General thought:
This thread is quite funny. Researchers suggesting that Apple should pay more for them helping provide security for Apple's customers are being greedy. Yet Apple, whom so many are defending, values their customers' security at a max of $200K. Let that sink in: your security is worth no more than $200K.

Vulnerabilities are a commodity. Apple values those commodities at a below market level. Others, be it government actors, security firms, or the criminal element, value those commodities at a much higher rate. None of those entities owe Apple anything. They don't work for Apple. It's Apple's job to ensure the security of their customers. If Apple doesn't want to pay competitively then shouldn't customers question their dedication to their security?

@Kaibelf directly:
This is not a quote I expected from you. I've seen you post in multiple threads defending the concept of capitalism as it relates to business in general and Apple specifically. But in this situation you want to apply a moral gauge? Why?
Random commenter: Apple should sell their phones cheaper. More people can afford them.
You: Apple charges what the market will accept. If the phones were too expensive people wouldn't buy them.

Same principle here. Why should someone accept a lesser rate for their work from Apple, when the market is willing to pay more? To paraphrase one of your famous lines: If you were a business owner who had to support employees and a family, who would get your product?
 
You are comparing Apples to Oranges, pun intended.

The comments here are all over the place and go from: "pay for their time/work", which in actuality the current bounties seem fair, to "pay for what the information might be worth", including what criminals might pay for it. This just does not make any sense.

General thought:
This thread is quite funny. Researchers suggesting that Apple should pay more for them helping provide security for Apple's customers are being greedy. Yet Apple, whom so many are defending, values their customers' security at a max of $200K. Let that sink in: your security is worth no more than $200K.

Vulnerabilities are a commodity. Apple values those commodities at a below market level. Others, be it government actors, security firms, or the criminal element, value those commodities at a much higher rate. None of those entities owe Apple anything. They don't work for Apple. It's Apple's job to ensure the security of their customers. If Apple doesn't want to pay competitively then shouldn't customers question their dedication to their security?

@Kaibelf directly:
This is not a quote I expected from you. I've seen you post in multiple threads defending the concept of capitalism as it relates to business in general and Apple specifically. But in this situation you want to apply a moral gauge? Why?
Random commenter: Apple should sell their phones cheaper. More people can afford them.
You: Apple charges what the market will accept. If the phones were too expensive people wouldn't buy them.

Same principle here. Why should someone accept a lesser rate for their work from Apple, when the market is willing to pay more? To paraphrase one of your famous lines: If you were a business owner who had to support employees and a family, who would get your product?
 
You are comparing Apples to Oranges, pun intended.

The comments here are all over the place and go from: "pay for their time/work", which in actuality the current bounties seem fair, to "pay for what the information might be worth", including what criminals might pay for it. This just does not make any sense.
Apologies, but I don't know what point you're trying to convey.
 
How is it that Apple spend $billions on R&D but have to offer rewards to find vulnerabilities in their systems?
 
Well if you do anything other than report it directly to Apple you're per definition a bad guy. As for the compensation, nobody made you mess around with Apple's systems, you decided to put your own time into it. So if you sell it to a bad guy, it shows your morality and that you couldn't care less....
That's not the issue. The problem is the "good guys" won't bother looking for Apple's bugs in the first place if the bounties are small. Edit: Also, yeah, someone above mentioned that they might hand it over to law enforcement.
How is it that Apple spend $billions on R&D but have to offer rewards to find vulnerabilities in their systems?
Apple only has to pay when someone finds a vulnerability, so they might as well offer bounties just in case their own R&D doesn't find it. A lot of these are so crazy that someone on the inside might not even get on the right track to find them.
 
Isn't this pointless though, I mean, if the person who found the bug is a bad guy he's not going to report it to Apple regardless.....

That's why they pay bounties though. The bounties companies pay tend to be far higher than they could generally earn through their malicious activities.

This wouldn't sway someone who just "wants to watch the world burn", but it would probably sway enough who are in it for a few bucks.

It also helps encourage the right sort of hackers to help Apple identify bugs / holes they didn't. If Apple is going to pay $200000 for a single bug in the firmware, and you're someone who can and does enjoy doing that sort of work, that's a payday.

As for how Apple's pay relates to the rest of the market, I don't know.
 
That's not necessarily true. Are you "per definition" a bad guy if you sell the bug to a legitimate law enforcement contractor? Like that Israeli company that helped the FBI crack open that iPhone 5C?
Or selling directly to "law enforcement" like the CIA or NSA (ok I should have called that U.S. governmental agencies or that of other countries you consider on balance decent enough).
 
Seems a fair amount. How much are they supposed to pay a bunch of guys in their jammies in their parents basement with one hand in their pants?

Chances are, if they have the skillz to earn the bounty, they are sitting in their *own* basement in their jammies with one hand in their pants. Anybody with the technical know-how should easily be earning 6 figures ... :D
 